Lab Write-up: Linux CLI — Identifying Incorrect File Extensions
Source: infosecwriteups.com, 2026-5-12 06:30:18

Eeshan Agrawal

Course: Security Blue Team — BTJA

Objective: Use Linux command-line tools to identify, investigate, and restore files with mismatched extensions to uncover hidden data.

1. Initial Discovery

The primary challenge in this lab is that several files have been renamed with incorrect extensions (e.g., a .png renamed to .txt). This is a common "low-level" obfuscation technique.

Key Tool: The file Command

The most important takeaway is that extensions do not define file types in Linux. The file command ignores the name and reads the first bytes of the file (its magic bytes, or header signature) to tell you what the file actually is.


Command used: file <filename>

Q1. There are two files with incorrect extensions; what are their filenames? (Without the file extensions, in the format: filename1 filename2)

Answer: doggo pancakerecipe

2. Reading Files

  • Look for any files that contain hidden messages! (This will be covered more in-depth during the Steganography section.)
  • The strings command prints any human-readable strings found in a file to the terminal.
  • Another command we can use is head, which outputs the first part of a file to the terminal (10 lines by default).

Q2. What is the phrase on line 8 of the first text file you come across?

Answer: there’s a snake in my boot

3. Uncovering Hidden Images

During the investigation, two files in the /Home/ directory were identified as disguised:

  1. pancakerecipe.txt was identified as PNG image data.
  2. doggo.zip was identified as JPEG image data.

Restoration Process

To view these files properly, we used the mv (move/rename) or cp (copy) command to give them their rightful extensions:

Bash:

  sudo cp pancakerecipe.txt pancakerecipe.png
  sudo cp doggo.zip doggo.jpeg

Note: sudo was required due to restricted directory permissions.

4. Decoding the Secret Message

The restored pancakerecipe.png, opened with the xdg-open tool, contained a visible string of NATO phonetic alphabet words.

Q3. One of these incorrect extension files hides a message, what is it?

By taking the first letter of each word in the NATO Phonetic Alphabet, the secret message is revealed as: SECRET.

5. Searching for Specific Content

Q4. There is a text file with the string “bankdetails” as part of the filename. What is the full filename? (Including file extension)

To find the bankdetails file buried in subdirectories, we used the find command. This is much faster than manually clicking through folders.


Command used: find . -name "*bankdetails*"

This revealed the file at:

./PersonalFiles/Work Stuff/11_09_2019_statement_bankdetails.txt

Answer: 11_09_2019_statement_bankdetails.txt

6. Identify Total Number of Images

Q5. How many images are in the /Home/ directory? (Including files that SHOULD be images, if any)

To answer this correctly, we need to count every file in the top-level /Home/ directory that is either an image by extension OR a file that you discovered "should" be an image (based on your previous work with the file command).

The Count Breakdown

Looking at the output of ls -al for the ~/SBT_LAB/SBT_Linux_CLI-2/Home directory:

  1. chuwi-herobook-header.jpg: A standard image file.
  2. dinosaur_angry.jpeg: A standard image file.
  3. doggo.jpeg: (This is the copy you made of doggo.zip).
  4. doggo.zip: SHOULD be an image. (Your file command confirmed this is JPEG data).
  5. pancakerecipe.png: (This is the copy you made of pancakerecipe.txt).
  6. pancakerecipe.txt: SHOULD be an image. (Your file command confirmed this is PNG data).
  7. tasty.jpg: A standard image file.

  • Original image extensions: 3 (chuwi...jpg, dinosaur...jpeg, tasty.jpg)
  • Disguised images: 2 (doggo.zip, pancakerecipe.txt)

The two copies made during restoration (doggo.jpeg and pancakerecipe.png) duplicate the disguised originals, so they are not counted separately.

Correct answer is: 5

7. Locating Hidden Directories and Flags

By convention, Linux tools such as ls omit files and folders whose names start with a dot (.). To see the hidden .Private folder, the -a flag is required.

Command used: ls -al PersonalFiles/Work\ Stuff/

Once the folder was found, we read the flag using cat: cat PersonalFiles/Work\ Stuff/.Private/readme.txt

Q6. What is the flag value inside the text file within the hidden directory?

Flag Found: 106019BAL0S0A1

8. Pro-Tip: The Recursive “Scan”

To quickly identify every image in a lab environment (even those hidden with wrong extensions), you can combine file with grep: file * */* | grep -iE 'image|bitmap'

This command scans the current folder and one level of subfolders, filtering for any file the system recognizes as an image regardless of its name. Two caveats: the * wildcard does not match names beginning with a dot, so anything inside a hidden directory such as .Private is skipped, and it does not descend further than one level. For a full tree walk, pair file with find instead.
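As an added example (not code from the write-up or the course), the following Python script reimplements the magic-byte check that file performs for the PNG, JPEG and ZIP signatures, so it runs without the file binary. It walks the whole tree including hidden dot-directories like .Private, reports every file whose extension disagrees with its content (sections 1 and 3), and counts images by content the way Q5 asks. The directory it builds is a constructed fixture mirroring the lab layout, not the lab's actual files.

```python
import os
import tempfile

# Leading-byte signatures (the ones `file` keys on) and the extension(s) each type should carry.
SIGNATURES = [(b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"), (b"PK\x03\x04", "zip")]
VALID_EXT = {"png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "zip": {".zip"}}
IMAGE_TYPES = {"png", "jpeg"}

def detect_type(path):
    """Type implied by the first bytes of the file, or None if unrecognised."""
    with open(path, "rb") as f:
        head = f.read(8)
    return next((kind for magic, kind in SIGNATURES if head.startswith(magic)), None)

def scan(root):
    """Walk root (hidden dot-directories included). Returns (mismatches, image_count);
    mismatches is a sorted list of (relative_path, extension, detected_type)."""
    mismatches, images = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = detect_type(path)
            if kind is None:
                continue  # plain text or unknown: nothing to compare against
            images += kind in IMAGE_TYPES  # counts by content, not by name
            ext = os.path.splitext(name)[1].lower()
            if ext not in VALID_EXT[kind]:
                mismatches.append((os.path.relpath(path, root), ext, kind))
    return sorted(mismatches), images

def build_sample_home():
    """Constructed fixture mirroring the lab layout (not the lab's real files)."""
    root = tempfile.mkdtemp(prefix="home_")
    hidden = os.path.join("PersonalFiles", "Work Stuff", ".Private")
    samples = {
        "pancakerecipe.txt": b"\x89PNG\r\n\x1a\n" + b"\0" * 8,       # PNG posing as .txt
        "doggo.zip": b"\xff\xd8\xff\xe0" + b"\0" * 8,                # JPEG posing as .zip
        "tasty.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 8,                # genuine JPEG
        "notes.txt": b"there's a snake in my boot\n",                # genuine text
        os.path.join(hidden, "readme.txt"): b"FLAG_PLACEHOLDER\n",   # hidden, plain text
        os.path.join(hidden, "cover.png"): b"PK\x03\x04" + b"\0" * 8,  # ZIP posing as .png
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root
```

Calling scan(build_sample_home()) returns the three disguised files (including the one inside .Private that the one-level glob would miss) and an image count of 3.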

Summary for Students:

  • Don’t trust extensions. Use file.
  • Search, don’t wander. Use find.
  • See everything. Use ls -a to find hidden "dot" files.

Article source: https://infosecwriteups.com/lab-write-up-linux-cli-identifying-incorrect-file-extensions-71e03bb908e8?source=rss----7b722bfd1b8d---4